[Snort-users] False positive on sid:17246

Alex Kirk akirk at ...1935...
Wed Sep 15 13:02:23 EDT 2010


You're not the only one. We're already reviewing the best way to update the
rule based on a FP report we got in this morning. We'll have a new version
out in the next 1-2 SEUs.

On Wed, Sep 15, 2010 at 12:39 PM, Andy Berryman <aberryman at ...14758...> wrote:

> Anyone getting false positives on this? I just did a rule update this
> morning and am now getting tons of events for this all of a sudden.
>
> SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion
> attempt
>
> Just seeing if anyone else is experiencing it? It looks like they are
> triggering on gzip files.
>
> Thanks,
>
> Andy Berryman



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...